Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&am…
Please do not reply to this email to report issues, rather file a bug on
bugzilla.opensuse.org. For more information on filing bugs please see
https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
LibVNCServer
MozillaThunderbird (78.6.0 -> 78.6.1)
alpine (2.23.2 -> 2.24)
firewalld
fprintd (1.90.8 -> 1.90.9)
gpgme (1.15.0 -> 1.15.1)
gpgmeqt (1.15.0 -> 1.15.1)
heaptrack
kmod
libgarcon (0.8.0 -> 4.16.1)
libinput
libqmi (1.26.6 -> 1.26.8)
libqt5-qtdeclarative
libzypp (17.25.5 -> 17.25.6)
mozjs78 (78.5.0 -> 78.6.1)
net-tools
openafs (1.8.6.1 -> 1.8.7)
ovmf
perl-Mail-AuthenticationResults (1.20200824.1 -> 2.20210112)
psmisc (23.2 -> 23.3)
python-zope.proxy
rav1e (0.3.4 -> 0.4.0)
redis (6.0.9 -> 6.0.10)
speexdsp
sudo (1.9.4p2 -> 1.9.5p1)
vlc
wireshark
xfce4-appfinder (4.16.0 -> 4.16.1)
xfce4-screensaver
xfce4-whiskermenu-plugin (2.5.1 -> 2.5.2)
yast2-bootloader (4.3.16 -> 4.3.17)
yast2-storage-ng (4.3.35 -> 4.3.37)
zypper (1.14.41 -> 1.14.42)
=== Details ===
==== LibVNCServer ====
Subpackages: libvncclient1 libvncserver1
- Add many patches needed for GNOME Remote desktop (already in
Fedora):
* TLS security type enablement patches gh#LibVNC/libvncserver!234
- 0001-libvncserver-Add-API-to-add-custom-I-O-entry-points.patch
- 0002-libvncserver-Add-channel-security-handlers.patch
- 0003-libvncserver-auth-don-t-keep-security-handlers-from-.patch
* Fix crash on all runs after the first gh#LibVNC/libvncserver!444 rh#1882718
- 0004-zlib-Clear-buffer-pointers-on-cleanup-444.patch
* Fix another crasher glgo#GNOME/gnome-remote-desktop#45 rh#1882718
- 0001-libvncserver-don-t-NULL-out-internal-of-the-default-.patch
==== MozillaThunderbird ====
Version update (78.6.0 -> 78.6.1)
Subpackages: MozillaThunderbird-translations-common
- Mozilla Thunderbird 78.6.1
MFSA 2021-02 (bsc#1180623)
* CVE-2020-16044 (bmo#1683964)
Use-after-free write when handling a malicious COOKIE-ECHO SCTP
chunk
==== alpine ====
Version update (2.23.2 -> 2.24)
Subpackages: pico
- Update to release 2.24
* A few crash fixes
* Implementation of XOAUTH2 for Yahoo! Mail.
==== firewalld ====
Subpackages: firewalld-lang python3-firewall
- Add dependency for firewall-offline-cmd (bsc#1180883)
==== fprintd ====
Version update (1.90.8 -> 1.90.9)
Subpackages: fprintd-lang fprintd-pam fprintd-pam-32bit
- Update to version 1.90.9
* Fix multiple daemon lockup issues (#97)
* Fix print garbage collection to not delete used prints
* pam: Use the device with the most prints
==== gpgme ====
Version update (1.15.0 -> 1.15.1)
Subpackages: libgpgme11 libgpgmepp6 python38-gpg
- gpgme 1.15.1:
* Fix a bug in the secret key export
* Make listing of signatures work if only secret keys are listed
* qt: Avoid empty "rem@gnupg.org" signature notations
* python: Fix key_export functions
- remove deprecated texinfo macros
==== gpgmeqt ====
Version update (1.15.0 -> 1.15.1)
- gpgme 1.15.1:
* Fix a bug in the secret key export
* Make listing of signatures work if only secret keys are listed
* qt: Avoid empty "rem@gnupg.org" signature notations
* python: Fix key_export functions
- remove deprecated texinfo macros
==== heaptrack ====
Subpackages: heaptrack-gui heaptrack-lang
- Add quotes to text comparison to fix build with rpm 4.16.
==== kmod ====
Subpackages: libkmod2
- Update usr-lib-modprobe.patch to upstream submission (boo#1180821).
- Require libxslt-tools for xsltproc and use local stylesheet.
+ no-stylesheet-download.patch
==== libgarcon ====
Version update (0.8.0 -> 4.16.1)
Subpackages: libgarcon-1-0 libgarcon-data libgarcon-lang
- Update to version 4.16.1
* Launch applications as children again (gxo#xfce/garcon#18)
* Translation Updates
==== libinput ====
Subpackages: libinput-udev libinput10
- Limit the dep libinput-debug-gui -> libinput-tools only to
%{version}, not %{version}-%{release}. As they are not built in
the same run, the rebuild counters are not guaranteed to match
forever.
==== libqmi ====
Version update (1.26.6 -> 1.26.8)
Subpackages: libqmi-glib5 libqmi-tools
- update to 1.26.8:
* libqmi-glib:
+ Fix proxy segfault when accessing length of NULL GArray.
+ Add "Release USSD" indication to Basic collection.
* qmicli:
+ Fix element types used in "NAS Get Cell Location Info".
* Several other minor improvements and fixes.
==== libqt5-qtdeclarative ====
- Enable qml-autoreqprov
==== libzypp ====
Version update (17.25.5 -> 17.25.6)
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)
- version 17.25.6 (22)
==== mozjs78 ====
Version update (78.5.0 -> 78.6.1)
- Update to version 78.6.1esr.
==== net-tools ====
Subpackages: net-tools-lang
- prepare usrmerge (boo#1029961)
==== openafs ====
Version update (1.8.6.1 -> 1.8.7)
Subpackages: openafs-client openafs-kmp-default
- update to HEAD of git branch openafs-stable-1_8_x
* fix critical bug described in
https://lists.openafs.org/pipermail/openafs-info/2021-January/043026.html
* remove remove-get_ds-usage.patch
* remove add_arch_to_linux_kernel_make.patch
==== ovmf ====
Subpackages: qemu-ovmf-x86_64 qemu-uefi-aarch64
- Add ovmf-bsc1180079-amd-sev-es-mitigation.patch to mitigate the
potential AMD SEV-ES security issues (bsc#1180079)
- Add the json descriptor for xen-hvm (bsc#1180050)
==== perl-Mail-AuthenticationResults ====
Version update (1.20200824.1 -> 2.20210112)
- updated to 2.20210112
see /usr/share/doc/packages/perl-Mail-AuthenticationResults/Changes
2.20210112 2021-01-12 22:10:28+00:00 UTC
- Switch to a purely numeric version string
==== psmisc ====
Version update (23.2 -> 23.3)
Subpackages: psmisc-lang
- Now with 23.3 peekfd is built even for aarch64
- Rework 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
and split off the patch psmisc-v23.3-selinux.patch
- Rework 0002-Use-new-statx-2-system-call-to-avoid-hangs-on-NFS.patch
- New patch psmisc-v23.3-selinux.patch
- Rename patch psmisc-v23.2.dif which is now psmisc-v23.3.dif
- Update to 23.3:
* killall: check also truncated 16 char comm names Debian
* fuser: Return early if have nulls
* peekfd: Add support for ARM64
* pstree: Add color by age
* fuser: Use larger inode sizes
- Rebase 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
- Rebase 0002-Use-new-statx-2-system-call-to-avoid-hangs-on-NFS.patch
- Rebase psmisc-22.21-pstree.patch
==== python-zope.proxy ====
- Let the python-rpm-macros automatically figure out the correct
provides and obsoletes for the flavor
==== rav1e ====
Version update (0.3.4 -> 0.4.0)
- Update to version 0.4.0
* https://github.com/xiph/rav1e/releases/tag/v0.4.0
==== redis ====
Version update (6.0.9 -> 6.0.10)
- HTTPS download link for source
- redis 6.0.10:
Command behavior changes:
* SWAPDB invalidates WATCHed keys (#8239)
* SORT command behaves differently when used on a writable replica (#8283)
* EXISTS should not alter LRU (#8016)
In Redis 5.0 and 6.0 it would have touched the LRU/LFU of the key.
* OBJECT should not reveal logically expired keys (#8016)
Will now behave the same as TYPE or any other non-DEBUG command.
* GEORADIUS[BYMEMBER] can fail with -OOM if Redis is over the memory limit (#8107)
Other behavior changes:
* Sentinel: Fix missing updates to the config file after SENTINEL SET command (#8229)
* CONFIG REWRITE is atomic and safer, but requires write access to the config file's
folder (#7824, #8051)
This change was already present in 6.0.9, but was missing from the release notes.
Bug fixes with compatibility implications (bugs introduced in Redis 6.0):
* Fix RDB CRC64 checksum on big-endian systems (#8270)
If you're using big-endian please consider the compatibility implications with
RESTORE, replication and persistence.
* Fix wrong order of key/value in Lua's map response (#8266)
If your scripts use redis.setresp() or return a map (new in Redis 6.0), please
consider the implications.
Bug fixes:
* Fix an issue where a forked process deletes the parent's pidfile (#8231)
* Fix crashes when enabling io-threads-do-reads (#8230)
* Fix a crash in redis-cli after executing cluster backup (#8267)
* Handle output buffer limits for module blocked clients (#8141)
Could result in a module sending reply to a blocked client to go beyond the limit.
* Fix setproctitle related crashes. (#8150, #8088)
Caused various crashes on startup, mainly on Apple M1 chips or under instrumentation.
* Backup/restore cluster mode keys to slots map for repl-diskless-load=swapdb (#8108)
In cluster mode with repl-diskless-load, when loading failed, slot map wouldn't
have been restored.
* Fix oom-score-adj-values range, and bug when used in config file (#8046)
Enabling setting this in the config file in a line after enabling it, would
have been buggy.
* Reset average ttl when empty databases (#8106)
Just causing misleading metric in INFO
* Disable rehash when Redis has child process (#8007)
This could have caused excessive CoW during BGSAVE, replication or AOFRW.
* Further improved ACL algorithm for picking categories (#7966)
Output of ACL GETUSER is now more similar to the one provided by ACL SETUSER.
* Fix bug with module GIL being released prematurely (#8061)
Could in theory (and rarely) cause multi-threaded modules to corrupt memory.
* Reduce effect of client tracking causing feedback loop in key eviction (#8100)
* Fix cluster access to unaligned memory (SIGBUS on old ARM) (#7958)
* Fix saving of strings larger than 2GB into RDB files (#8306)
Additional improvements:
* Avoid wasteful transient memory allocation in certain cases (#8286, #5954)
Platform / toolchain support related improvements:
* Fix crash log registers output on ARM. (#8020)
* Add a check for an ARM64 Linux kernel bug (#8224)
Due to the potential severity of this issue, Redis will print log warning on startup.
* Raspberry build fix. (#8095)
New configuration options:
* oom-score-adj-values config can now take absolute values (besides relative ones)
(#8046)
Module related fixes:
* Moved RMAPI_FUNC_SUPPORTED so that it's usable (#8037)
* Improve timer accuracy (#7987)
* Allow '\0' inside of result of RM_CreateStringPrintf (#6260)
==== speexdsp ====
- Update dependencies and update spec file
==== sudo ====
Version update (1.9.4p2 -> 1.9.5p1)
Subpackages: sudo-plugin-python
- Update to 1.9.5.p1
* Fixed a regression introduced in sudo 1.9.5 where the editor run
by sudoedit was set-user-ID root unless SELinux RBAC was in use.
The editor is now run with the user's real and effective user-IDs.
- News in 1.9.5
* Fixed a crash introduced in 1.9.4 when running "sudo -i" as an
unknown user. This is related to but distinct from Bug #948.
* If the "lecture_file" setting is enabled in sudoers, it must now
refer to a regular file or a symbolic link to a regular file.
* Fixed a potential use-after-free bug in sudo_logsrvd when the
server shuts down if there are existing connections from clients
that are only logging events and not session I/O data.
* Fixed a buffer size mismatch when serializing the list of IP
addresses for configured network interfaces. This bug is not
actually exploitable since the allocated buffer is large enough
to hold the list of addresses.
* If sudo is executed with a name other than "sudo" or "sudoedit",
it will now fall back to "sudo" as the program name. This affects
warning, help and usage messages as well as the matching of Debug
lines in the /etc/sudo.conf file. Previously, it was possible
for the invoking user to manipulate the program name by setting
argv[0] to an arbitrary value when executing sudo.
* Sudo now checks for failure when setting the close-on-exec flag
on open file descriptors. This should never fail but, if it
were to, there is the possibility of a file descriptor leak to
a child process (such as the command sudo runs).
* Fixed CVE-2021-23239, a potential information leak in sudoedit
that could be used to test for the existence of directories not
normally accessible to the user in certain circumstances. When
creating a new file, sudoedit checks to make sure the parent
directory of the new file exists before running the editor.
However, a race condition exists if the invoking user can replace
(or create) the parent directory. If a symbolic link is created
in place of the parent directory, sudoedit will run the editor
as long as the target of the link exists. If the target of the
link does not exist, an error message will be displayed. The
race condition can be used to test for the existence of an
arbitrary directory. However, it _cannot_ be used to write to
an arbitrary location.
* Fixed CVE-2021-23240, a flaw in the temporary file handling of
sudoedit's SELinux RBAC support. On systems where SELinux is
enabled, a user with sudoedit permissions may be able to set the
owner of an arbitrary file to the user-ID of the target user.
On Linux kernels that support "protected symlinks", setting
/proc/sys/fs/protected_symlinks to 1 will prevent the bug from
being exploited. For more information see
https://www.sudo.ws/alerts/sudoedit_selinux.html.
* Added writability checks for sudoedit when SELinux RBAC is in use.
This makes sudoedit behavior consistent regardless of whether
or not SELinux RBAC is in use. Previously, the "sudoedit_checkdir"
setting had no effect for RBAC entries.
* A new sudoers option "selinux" can be used to disable sudo's
SELinux RBAC support.
* Quieted warnings from PVS Studio, clang analyzer, and cppcheck.
Added suppression annotations for PVS Studio false positives.
==== vlc ====
Subpackages: libvlc5 libvlccore9 vlc-codec-gstreamer vlc-lang vlc-noX vlc-qt vlc-vdpau
- Add vlc-CVE-2020-26664.patch: mkv: Ensure we don't use an
EbmlDummy element for something it's not (CVE-2020-26664,
boo#1180755).
==== wireshark ====
Subpackages: libwireshark14 libwiretap11 libwsutil12 wireshark-ui-qt
- provide helpful error message if user doesn't have permissions to run dumpcap
(bsc#1180102)
add wireshark-0001-dumpcap-permission-denied.patch
==== xfce4-appfinder ====
Version update (4.16.0 -> 4.16.1)
Subpackages: xfce4-appfinder-lang
- Update to version 4.16.1
* Launch applications as children again
==== xfce4-screensaver ====
- Unbreak Leap build.
* Make "%{_libexecdir}" file list more explicit, thus avoiding
'/usr/lib/debug' being picked up on Leap, where libexec is
'/usr/lib'.
==== xfce4-whiskermenu-plugin ====
Version update (2.5.1 -> 2.5.2)
Subpackages: xfce4-whiskermenu-plugin-lang
- Update to version 2.5.2
* Do not reparent launched programs.
(gxo#panel-plugins/xfce4-whiskermenu-plugin#32)
* Translation updates
==== yast2-bootloader ====
Version update (4.3.16 -> 4.3.17)
- The logic for calculating a device udev link is now delegated to
the yast2-storage-ng module (jsc#SLE-17081, also related to
bsc#1177926 and bsc#1169874).
- 4.3.17
==== yast2-storage-ng ====
Version update (4.3.35 -> 4.3.37)
- Partitioner: removed warning for too small EFI system partition.
- Proposal: reuse pre-existing EFI partition even if it's small
- Related to bsc#1177358, bsc#1170625 and bsc#1119318.
- 4.3.37
- Added API methods to get the preferred name to reference a block
device or its filesystem (jsc#SLE-17081, also related to
bsc#1177926 and bsc#1169874).
- 4.3.36
==== zypper ====
Version update (1.14.41 -> 1.14.42)
Subpackages: zypper-log zypper-needs-restarting
- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option
rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's
nothing to do (bsc#1180077)
- Prefer /run over /var/run.
- version 1.14.42